Which security model uses an access control triple and also requires separation of duty?

A.
DAC

B.
Lattice

C.
Clark-Wilson

D.
Bell-LaPadula

Explanation:
The Clark-Wilson model enforces the three goals of integrity by using access triple (subject, software [TP],
object), separation of duties, and auditing. This model enforces integrity by using well-formed transactions
(through access triple) and separation of duties.When an application uses the Clark-Wilson model, it separates data into one subset that needs to be highly
protected, which is referred to as a constrained data item (CDI), and another subset that does not require a
high level of protection, which is called an unconstrained data item (UDI). Users cannot modify critical data
(CDI) directly. Instead, the subject (user) must be authenticated to a piece of software, and the software
procedures (TPs) will carry out the operations on behalf of the user. For example, when Kathy needs to update
information held within her company’s database, she will not be allowed to do so without a piece of software
controlling these activities. First, Kathy must authenticate to a program, which is acting as a front end for the
database, and then the program will control what Kathy can and cannot do to the information in the database.
This is referred to as access triple: subject (user), program (TP), and object (CDI). A user cannot modify CDI
without using a TP.
The Clark-Wilson security model uses division of operations into different parts and requires different users to
perform each part. This is known as Separation of Duties.
The Clark-Wilson model outlines how to incorporate separation of duties into the architecture of an application.
If a customer needs to withdraw over $10,000, the application may require a supervisor to log in and
authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model
provides the rules that the developers must follow to properly implement and enforce separation of duties
through software procedures.
Incorrect Answers:
A: DAC (Discretionary Access Control) is not a security model that uses an access control triple and requires
separation of duty.
B: Lattice-based access control model A mathematical model that allows a system to easily represent the
different security levels and control access attempts based on those levels. It is not a security model that uses
an access control triple and requires separation of duty.
D: The Bell–LaPadula Model is a state machine model used for enforcing access control in government and
military applications. It is not a security model that uses an access control triple and requires separation of duty.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 370-377